Apache Reverse Proxy setting for site having Spring Security

I've been struggling with this same problem for a few days and I might have cracked it. I'm new to Spring Security so don't take this as gospel! Others might object... I'm using Apache 2.4 (on OS X) and Spring Security 4.1.1.

Everything ran perfectly well running locally, but whenever it was deployed to run behind a reverse proxy I got 404 errors every time I logged in. After much head scratching and Googling, here's what I found:

(As I don't have enough reputation points to post more that 2 links I've had to use a space after 'http://' for the URLs!)

Suppose Apache and Tomcat are running on the same host (localhost) with Apache configured to proxy requests from www.example.com to our web app deployed under the context path '/webapp'

    ProxyPass / http://localhost:8080/webapp/
    ProxyPassReverse / http://localhost:8080/webapp/

1. External client requests protected URL: http:// www.example.com/secret

   GET /secret HTTP/1.1
   

2. Apache proxies this to http:// localhost:8080/webapp/secret

3. One of Spring's security filters intervenes and responds with a redirect to /login

   HTTP/1.1 302 Found
   Location: http://www.example.com/login
   

4. Browser fetches URL

   GET /login HTTP/1.1
   

5. Apache proxies this to http:// localhost:8080/webapp/login

6. Spring responds with its default login page

   HTTP/1.1 200 OK
   

7. The interesting thing to note at this point is that the login form generated by Spring prefixes the forms action element with the context path (i.e. action="/webapp/login"). When you then click the submit button, a POST is performed to the URL /webapp/login

   POST /webapp/login HTTP/1.1
   

We now have a problem. When Apache proxies this to the backend server, the resulting URL will be http:// localhost/webapp/webapp/login. You can see this in the catalina.out log showing there is no handler that can handle the request as the context path is now appearing twice in the URL.

The problem here is that the ProxyPass and ProxyReversePass directives (mod_proxy module) only modifies the HTTP Location header, the URL is left untouched. What is needed is to strip the context path from the URL before it reaches the proxy which will add it back on. Apache's RewriteRule seems to do the trick:

RewriteRule /webapp/(.*)$ http://localhost:8080/webapp/$1 [P]

Although this solved the 404 errors and I could see Apache was now proxying to the correct URL, I was constantly getting the login page re-displayed every time I logged in. This next bit of config seems to resolve this:

ProxyPassReverseCookieDomain localhost www.example.com
ProxyPassReverseCookiePath /webapp/ /

I believe this may be because the proxying was causing the domain and path in the cookie to be set incorrectly, but I have to read up some more about that!

I hope this helps someone else out there, and people with more expertise than me in this area can comment on whether this is a fair solution...

Related videos on Youtube

07 : 59

Apache Reverse Proxy Configuration Example

Cameron McKenzie

105

15 : 54

Setting reverse proxy using apache

Mahtab Alam مهتاب

65

14 : 48

A Complete Guide to Apache 2.4.x HTTP/HTTPS Reverse Proxy

Brain I/O

45

08 : 35

Apache Reverse Proxy Configuration to Access Different Applications by Subdomains

Tech Guides

40

11 : 13

Setup Apache Server as forward proxy, reverse proxy & load balancer. Step by step implementation

Codeboard Club

24

03 : 57

DevOps & SysAdmins: Apache Reverse Proxy setting for site having Spring Security (3 Solutions!!)

Roel Van de Paar

0

Author by

AAgg

Being an Embedded Developer for 10 yrs, now learning Web Development and associated technologies... Started with Java Spring, Hibernate, JPA, Postgre, Tomcat/Apache, JSP, Javascript, jQuery, Solr ... Thankful to Open Source Software for making such great products and SO for supporting developer community !!!

Updated on September 18, 2022